[Firewall] Block SMTP traffic out

Dennis van der Meer iptables at greenchem-adblue.com
Thu Mar 4 11:51:40 CET 2010


Hi,

I finally found the solution to my problem.
First I upgraded to the latest version which of course did not solve the
problem since nothing major was changed.
Then I went through the config file since obviously something must be
wrong in there.

I came upon the TRUSTED_IF setting and I had my LAN interface in there.
It seems that when I do that ALL traffic is accepted
(which is stated in the doc above) regardless of any deny rules anywhere
else.
Since it said "other trusted network interfaces" in the doc I figured
out that I probably should not have put my LAN interface
in there. Now everything is solved and port 25 can be blocked without
any issues.

Thank you Arno and Lonnie for all your help.


Dennis
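The rule-order effect Dennis describes, as an added example that is not part of the thread or of the arno-iptables-firewall script: a toy first-match evaluator for a simplified FORWARD chain, laid out in the order the `start` output later in this thread prints the rules (trusted-interface ACCEPT first, then the LAN->INET HOST_OPEN exception, then the DENY). It shows why TRUSTED_IF="eth1" makes every later LAN->INET deny rule unreachable, why the HOST_OPEN exception must sit before the DENY rule, and why a flow already in conntrack keeps passing after a restart until its state entry is gone. The exact rule fields, the workstation address and the relay address 203.0.113.25 are assumptions for illustration.

```python
"""
Added example (not code from the thread or from arno-iptables-firewall):
a toy first-match evaluator for the FORWARD chain. The rule order mirrors
the 'start' output quoted in the thread; rule fields, the workstation
address and the relay address are assumptions for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

MAILSERVER = "192.168.2.4"        # the only LAN host allowed to speak SMTP
RELAY = "203.0.113.25"            # constructed external SMTP host


@dataclass(frozen=True)
class Packet:
    in_if: str
    out_if: str
    src: str
    dst: str
    proto: str
    dport: int
    state: str = "NEW"            # conntrack state: NEW or ESTABLISHED


@dataclass(frozen=True)
class Rule:
    target: str                   # ACCEPT or DROP
    in_if: Optional[str] = None   # None means "any"
    out_if: Optional[str] = None
    src: Optional[str] = None
    proto: Optional[str] = None
    dport: Optional[int] = None
    state: Optional[str] = None
    comment: str = ""

    def _fields(self):
        return (self.in_if, self.out_if, self.src, self.proto, self.dport, self.state)

    def matches(self, p: Packet) -> bool:
        have = (p.in_if, p.out_if, p.src, p.proto, p.dport, p.state)
        return all(w is None or w == h for w, h in zip(self._fields(), have))

    def covers(self, other: "Rule") -> bool:
        """True if every packet matching `other` also matches self."""
        return all(w is None or w == o for w, o in zip(self._fields(), other._fields()))


def evaluate(chain: List[Rule], p: Packet, policy: str = "DROP") -> Tuple[str, Optional[int]]:
    """iptables semantics: the first matching rule decides, else the chain policy."""
    for i, r in enumerate(chain):
        if r.matches(p):
            return r.target, i
    return policy, None


def shadowed(chain: List[Rule]) -> List[Tuple[int, int]]:
    """(index, shadowed_by) for every rule an earlier rule makes unreachable."""
    out = []
    for j, later in enumerate(chain):
        for i in range(j):
            if chain[i].covers(later):
                out.append((j, i))
                break
    return out


def forward_chain(trusted_if: Optional[str] = None, open_before_deny: bool = True) -> List[Rule]:
    """Simplified FORWARD chain in the order the script prints during 'start'."""
    chain = [Rule("ACCEPT", state="ESTABLISHED", comment="conntrack ESTABLISHED")]
    if trusted_if:
        # 'Accepting ALL FORWARD traffic for trusted interface(s)' comes first
        chain.append(Rule("ACCEPT", in_if=trusted_if, comment=f"TRUSTED_IF={trusted_if}"))
    host_open = Rule("ACCEPT", in_if="eth1", out_if="eth0", src=MAILSERVER,
                     proto="tcp", dport=25, comment="LAN_INET_HOST_OPEN_TCP")
    deny = Rule("DROP", in_if="eth1", out_if="eth0", proto="tcp", dport=25,
                comment="LAN_INET_DENY_TCP=25")
    chain += [host_open, deny] if open_before_deny else [deny, host_open]
    chain.append(Rule("ACCEPT", in_if="eth1", out_if="eth0", comment="all other LAN->INET"))
    return chain


def smtp_verdict(src: str, trusted_if: Optional[str] = None,
                 state: str = "NEW", open_before_deny: bool = True) -> str:
    """Verdict for a LAN host opening TCP/25 to the relay through eth0."""
    pkt = Packet("eth1", "eth0", src, RELAY, "tcp", 25, state)
    return evaluate(forward_chain(trusted_if, open_before_deny), pkt)[0]


if __name__ == "__main__":
    ws = "192.168.2.57"                                   # constructed workstation
    print("TRUSTED_IF=eth1, workstation :", smtp_verdict(ws, "eth1"))            # ACCEPT
    print("TRUSTED_IF unset, workstation:", smtp_verdict(ws))                    # DROP
    print("TRUSTED_IF unset, mailserver :", smtp_verdict(MAILSERVER))            # ACCEPT
    print("deny before open, mailserver :", smtp_verdict(MAILSERVER, open_before_deny=False))  # DROP
    print("old flow still in conntrack  :", smtp_verdict(ws, state="ESTABLISHED"))  # ACCEPT
    chain = forward_chain("eth1")
    for j, i in shadowed(chain):
        print(f"rule {j} ({chain[j].comment}) is dead: shadowed by rule {i} ({chain[i].comment})")
```

The `shadowed()` check is the part worth keeping around: run it over whatever chain model you maintain and it flags both the trusted-interface problem from this thread and a DENY that was placed ahead of its HOST_OPEN exception. On a live box the equivalent sanity check is reading `iptables -L FORWARD -v -n --line-numbers` top to bottom and confirming that no interface-wide ACCEPT precedes the port-25 rules, then clearing any lingering TCP/25 conntrack entries before retesting, as Lonnie notes further down.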

-----Original Message-----
From: firewall-bounces at rocky.eld.leidenuniv.nl
[mailto:firewall-bounces at rocky.eld.leidenuniv.nl] On Behalf Of Arno van
Amersfoort
Sent: Wednesday 3 March 2010 15:17
To: Arno's IPTABLES firewall script
Subject: Re: [Firewall] Block SMTP traffic out

Weird: Just tested it here with 1.9.2j and this just works and I don't 
recall any relevant changes between 1.9.2j and 1.9.2d that may explain 
this. What do you "exactly" mean by not working?: Your mailserver not 
being able to connect to an outside host on port 25, or your other 
internal hosts still being able to access port 25 on external hosts?

a.

Dennis van der Meer wrote:
> root at linuxserver:/etc/arno-iptables-firewall#
> /usr/local/sbin/arno-iptables-firewall start
> Arno's Iptables Firewall Script v1.9.2d
>
> -------------------------------------------------------------------------------
> Sanity checks passed...OK
> Checking/probing IPv4 Iptables modules:
>  Module check done...
> Setting the kernel ring buffer to only log panic messages to the console
> Setup kernel settings:
>  Setting the max. amount of simultaneous connections to 16384
>  Setting default conntrack timeouts
>  Enabling protection against source routed packets
>  Enabling packet forwarding
>  Enabling reduction of the DoS'ing ability
>  Enabling anti-spoof with rp_filter
>  Enabling SYN-flood protection via SYN-cookies
>  Disabling the logging of martians
>  Disabling the acception of ICMP-redirect messages
>  Setting default TTL=64
>  Disabling ECN (Explicit Congestion Notification)
>  Flushing route table
>  Kernel setup done...
> Initializing firewall chains
>  Setting default INPUT/FORWARD policy to DROP
> (Re)loading list of BLOCKED hosts from
> /etc/arno-iptables-firewall/blocked-hosts...
>  1 line(s) read. 1 host(s) blocked.
> Using loglevel "info" for syslogd
> 
> Setting up firewall rules:
>
> -------------------------------------------------------------------------------
> Enabling setting the maximum packet size via MSS
> Enabling mangling TOS
> Logging of stealth scans (nmap probes etc.) enabled
> Logging of packets with bad TCP-flags enabled
> Logging of INVALID TCP packets disabled
> Logging of INVALID UDP packets disabled
> Logging of INVALID ICMP packets disabled
> Logging of fragmented packets enabled
> Logging of access from reserved addresses enabled
> Setting up (antispoof) INTERNAL net(s): 192.168.2.0/24 172.16.0.0/24
> Logging outgoing TCP port(s): 25
> Reading custom rules from /etc/arno-iptables-firewall/custom-rules
> Checking for (user) plugins in
> /usr/local/share/arno-iptables-firewall/plugins...
>  IPsec VPN plugin v0.70BETA
>   Allowing internet hosts 0/0 to access the VPN service
>  Loaded 1 plugin(s)...
> Setting up INPUT policy for the external net (INET):
>  Logging of explicitly blocked hosts enabled
>  Logging of denied local output connections enabled
>  Denying ANYHOST for TCP port(s) (NO LOG): 113
>  Packets will NOT be checked for private source addresses
>  (92.64.243.27) Allowing ANYHOST for TCP port(s): 80
>  (eth0) Allowing ANYHOST for TCP port(s): 1723,5500
>  (92.64.243.26) Allowing ANYHOST for UDP port(s): 500,4500
>  Allowing ANYHOST for IP protocol(s): 47,50,51
>  Allowing ANYHOST to send ICMP-requests(ping)
>  Logging of dropped ICMP-request(ping) packets enabled
>  Logging of dropped other ICMP packets enabled
>  Logging of possible stealth scans enabled
>  Logging of (other) connection attempts to PRIVILEGED TCP ports enabled
>  Logging of (other) connection attempts to PRIVILEGED UDP ports enabled
>  Logging of (other) connection attempts to UNPRIVILEGED TCP ports enabled
>  Logging of (other) connection attempts to UNPRIVILEGED UDP ports enabled
>  Logging of other IP protocols (non TCP/UDP/ICMP) connection attempts enabled
>  Logging of ICMP flooding enabled
> Setting up OUTPUT policy for the external net (INET):
>  Allowing all (other) ports/protocols
> Applying INET policy to external interface: eth0 (without an external
> subnet specified)
> Setting up INPUT policy for internal (LAN) interface(s): eth1
>  Allowing ICMP-requests(ping)
>  Allowing all (other) ports/protocols
> Accepting ALL INPUT traffic from trusted interface(s): eth1
> Accepting ALL FORWARD traffic for trusted interface(s): eth1
> Setting up trust FORWARD policy for interface(s): eth1
> Setting up FORWARD policy for internal (LAN) interface(s): eth1
>  Logging of denied LAN->INET FORWARD connections enabled
>  Setting up LAN->INET policy:
>   Allowing 192.168.2.4(LAN) to 0/0(INET) for TCP port(s): 25
>   Denying 0/0(LAN) to 0/0(INET) for TCP port(s): 25
>   Allowing ICMP-requests(ping)
>   Denying TCP port(s): 25
>   Allowing all (other) TCP ports
>   Allowing all (other) UDP ports
>   Allowing all (other) protocols
> Enabling masquerading(NAT) via external interface(s): eth0
>  Adding (internal) host(s): 192.168.2.0/24 172.16.0.0/24
> (eth0) (92.64.243.26) Forwarding(NAT) TCP port(s) 0/0:443,1110 to
> 192.168.2.4
> Security is ENFORCED for external interface(s) in the FORWARD chain
> 
> Mar 03 14:38:07 All firewall rules applied.
> 
> -----Original Message-----
> From: firewall-bounces at rocky.eld.leidenuniv.nl
> [mailto:firewall-bounces at rocky.eld.leidenuniv.nl] On Behalf Of Arno van Amersfoort
> Sent: Wednesday 3 March 2010 14:20
> To: Arno's IPTABLES firewall script
> Subject: Re: [Firewall] Block SMTP traffic out
> 
> Weird, looks all ok. What's the output of 
> /usr/local/sbin/arno-iptables-firewall start ?
> 
> 
> Dennis van der Meer wrote:
>> Sorry, but it doesn't work. I have added my firewall.conf because maybe
>> something is overriding the settings.
>>
>>
>> Dennis
>>
>> -----Original Message-----
>> From: firewall-bounces at rocky.eld.leidenuniv.nl
>> [mailto:firewall-bounces at rocky.eld.leidenuniv.nl] On Behalf Of Arno van Amersfoort
>> Sent: Wednesday 3 March 2010 12:47
>> To: Arno's IPTABLES firewall script
>> Subject: Re: [Firewall] Block SMTP traffic out
>>
>> What you probably want is:
>>
>> LAN_INET_DENY_TCP="25"
>> LAN_INET_HOST_OPEN_TCP="mailserver_lan_ip>0/0~25"
>>
>> That should do it. It simply blocks all TCP port 25 traffic but since
>> the HOST_OPEN rules overrule the DENY_TCP rule it will create an 
>> exception for your mailserver....
>>
>> a.
>>
>> Dennis van der Meer wrote:
>>> Hi Lonnie,
>>>
>>> This unfortunately does nothing.
>>> I tried DENY_TCP="25" and it does nothing. I don't see anything in the
>>> log.
>>> I tried REJECT_TCP="25" and it also does nothing. Once again I don't see
>>> anything in the log.
>>> I tried HOST_DENY_TCP="0/0~25" and it also does nothing. Also nothing in
>>> the log appears.
>>> I also tried LAN_INET_DENY_TCP="25" and, you guessed it, it does
>>> nothing. Same with log information.
>>> And I have them all activated at once but absolutely nothing is blocked
>>> at all.
>>>
>>> I can block ports from outside to inside but nothing from inside to
>>> outside is blocked, unless it is
>>> on the Linux server directly.
>>>
>>> I can still telnet from my client to a server on port 25. All clients
>>> have my Linux system as the default gateway so it should do something.
>>>
>>>
>>> P.s. The version I use is 1.9.2d
>>>
>>>
>>> Dennis
>>>
>>> -----Original Message-----
>>> From: firewall-bounces at rocky.eld.leidenuniv.nl
>>> [mailto:firewall-bounces at rocky.eld.leidenuniv.nl] On Behalf Of Lonnie Abelbeck
>>> Sent: Tuesday 2 March 2010 14:27
>>> To: Arno's IPTABLES firewall script
>>> Subject: Re: [Firewall] Block SMTP traffic out
>>>
>>> Dennis,
>>>
>>> Ahhh, I didn't fully understand your wishes...
>>>
>>>
LAN_INET_HOST_OPEN_TCP="internal_mail_server>external_mail_server~25"
>>> LAN_INET_HOST_DENY_TCP="0/0>0/0~25"
>>>
>>> should block all outbound SMTP, except for your internal mail server to
>>> your external relay mail server.
>>>
>>> Is this what you want?
>>>
>>> Lonnie
>>>
>>>
>>> On Mar 2, 2010, at 3:31 AM, Dennis van der Meer wrote:
>>>
>>>> Hi Lonnie,
>>>>
>>>> I tried setting the 2 settings that you gave me but I am still able to
>>>> connect to port 25 of our providers email server from my workstation.
>>>> Access to port 25 to any system on the internet should be blocked for
>>>> the entire LAN except for 1 system.
>>>> Since I use NAT to forward all internal traffic to the outside, can this
>>>> be the problem? Because when I log traffic I only see a message in the
>>>> log when the Linux server forwards an email to our Exchange server (so
>>>> on the server directly).
>>>>
>>>>
>>>> P.s. I did do a reboot after the changes.
>>>>
>>>>
>>>> Dennis
>>>>
>>>> -----Original Message-----
>>>> From: firewall-bounces at rocky.eld.leidenuniv.nl
>>>> [mailto:firewall-bounces at rocky.eld.leidenuniv.nl] On Behalf Of Lonnie Abelbeck
>>>> Sent: Tuesday 2 March 2010 4:56
>>>> To: Arno's IPTABLES firewall script
>>>> Subject: Re: [Firewall] Block SMTP traffic out
>>>>
>>>> Dennis,
>>>>
>>>> You are on the right track, but try:
>>>>
>>>> LAN_INET_HOST_OPEN_TCP="0/0>ip_of_mail_server~25"
>>>> LAN_INET_HOST_DENY_TCP="0/0>0/0~25"
>>>>
>>>> When testing, understand that established states are maintained when the
>>>> firewall is 'restart'-ed, so a reboot might be in order to clear out any
>>>> previous outbound TCP 25 states.
>>>>
>>>> Lonnie
>>>>
>>>>
>>>> On Mar 1, 2010, at 8:12 AM, Dennis van der Meer wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> We are currently having a problem that more and more of our email is
>>>>> being blocked since we are on a spam list. Since we don't spam ourselves
>>>>> (and I am certain of it) I think we have a spam bot running in our
>>>>> network. Unfortunately the network is too large to scan each and every
>>>>> computer for any spam bots so I would like to do something else instead.
>>>>> We have Outlook clients that connect to an Exchange server. The Exchange
>>>>> server is the only server that will send email out. All email traffic
>>>>> goes through a Linux gateway that runs the Arno iptables firewall script.
>>>>> So I was thinking of blocking port 25 and logging attempts for every
>>>>> machine but the mail server.
>>>>> I already tried to set this in the firewall script but somehow it is
>>>>> not working as it should.
>>>>> I tried setting the following already:
>>>>>                LAN_INET_HOST_OPEN_TCP="ip_of_mail_server>0/0~25"
>>>>>                LAN_INET_HOST_DENY_TCP="0/0>0/0~25"
>>>>>
>>>>> Can anyone tell me what to set in the config to accomplish what I
>>>>> want?
>>>>> Dennis
>>>>>
>>>>> _______________________________________________
>>>>> Firewall mailing list
>>>>> Firewall at rocky.eld.leidenuniv.nl
>>>>> http://rocky.eld.leidenuniv.nl/mailman/listinfo/firewall
>>>>> Arno's (Linux IPTABLES Firewall) Homepage:
>>>>> http://rocky.eld.leidenuniv.nl
>>>>
>>>>
>>>
>>
>>
>
> 

-- 
Arno van Amersfoort
E-mail    : arnova at rocky.eld.leidenuniv.nl
Donations are welcome through Paypal!
---------------------------------------------------------------------------
Arno's (Linux IPTABLES Firewall) Homepage:
http://rocky.eld.leidenuniv.nl
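The goal of the original question was to find the spam bot by logging every LAN host that tries to reach TCP port 25, which the `start` output above confirms is enabled ("Logging outgoing TCP port(s): 25"). The following is an added example, not code from the thread or from the arno-iptables-firewall project: it mines iptables LOG lines from syslog for forwarded TCP/25 attempts, drops the permitted mail server, and ranks the remaining sources by how many distinct destinations they tried, since a bot fans out to many MX hosts while a misconfigured client hits one. It relies only on the standard `KEY=VALUE` fields the iptables LOG target writes (IN= OUT= SRC= DST= PROTO= DPT=); the log prefix, hostnames and addresses in the sample lines are constructed for the example.

```python
"""
Added example (not from the thread or from arno-iptables-firewall): rank
LAN hosts by forwarded TCP/25 attempts seen in iptables LOG lines. Only the
standard LOG fields are relied on; the log prefix, hostnames and addresses
in the sample lines below are constructed.
"""
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Optional, Set, Tuple

# KEY=VALUE tokens of an iptables LOG line; OUT= is empty for INPUT-chain hits
TOKEN = re.compile(r"\b([A-Z]+)=(\S*)")


def parse_log_line(line: str) -> Optional[Dict[str, str]]:
    """Fields of an iptables LOG line, or None for unrelated syslog lines."""
    fields = dict(TOKEN.findall(line))
    return fields if "SRC" in fields and "DST" in fields else None


def smtp_suspects(lines: Iterable[str], allowed_senders: Set[str],
                  out_if: str = "eth0") -> List[Tuple[str, int, int]]:
    """Per internal source: (src, TCP/25 attempts, distinct destinations),
    ignoring hosts permitted to send mail. Sorted by distinct destinations,
    then attempts, descending: a bot fans out, a misconfigured client does not."""
    attempts: Dict[str, int] = defaultdict(int)
    dsts: Dict[str, Set[str]] = defaultdict(set)
    for line in lines:
        f = parse_log_line(line)
        if f is None or f.get("PROTO") != "TCP" or f.get("DPT") != "25":
            continue
        if f.get("OUT") != out_if:          # only traffic forwarded to the internet
            continue
        if f["SRC"] in allowed_senders:
            continue
        attempts[f["SRC"]] += 1
        dsts[f["SRC"]].add(f["DST"])
    return sorted(((s, n, len(dsts[s])) for s, n in attempts.items()),
                  key=lambda t: (t[2], t[1]), reverse=True)


def _log(src: str, dst: str, dport: int, out_if: str = "eth0", in_if: str = "eth1") -> str:
    """Constructed syslog line in the layout the iptables LOG target emits.
    The 'AIF:LAN->INET:' prefix is an assumption, not the script's real prefix."""
    return (f"Mar  3 14:40:01 linuxserver kernel: AIF:LAN->INET: IN={in_if} OUT={out_if} "
            f"SRC={src} DST={dst} LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=4711 DF "
            f"PROTO=TCP SPT=51234 DPT={dport} WINDOW=5840 RES=0x00 SYN URGP=0")


# Constructed sample log: one fanning-out workstation, the allowed Exchange
# server, a single-hit host, a non-SMTP line, an INPUT-chain hit and noise.
SAMPLE_LOG = [
    _log("192.168.2.57", "203.0.113.25", 25),   # workstation, three different MX hosts
    _log("192.168.2.57", "198.51.100.7", 25),
    _log("192.168.2.57", "192.0.2.99", 25),
    _log("192.168.2.4", "203.0.113.25", 25),    # the Exchange server: allowed
    _log("192.168.2.4", "203.0.113.25", 25),
    _log("192.168.2.88", "203.0.113.25", 25),   # one attempt, one destination
    _log("192.168.2.57", "203.0.113.80", 80),   # not SMTP
    _log("198.51.100.9", "203.0.113.1", 25, out_if="", in_if="eth0"),  # INPUT chain hit
    "Mar  3 14:40:09 linuxserver sshd[1234]: Accepted publickey for dennis from 192.168.2.57",
]

ALLOWED = {"192.168.2.4"}


if __name__ == "__main__":
    for src, n, d in smtp_suspects(SAMPLE_LOG, ALLOWED):
        print(f"{src:15} attempts={n:3} distinct_dst={d}")
```

Feed it `grep 'DPT=25' /var/log/syslog` (or the kern log on your distribution) and the top entry is the first machine to pull off the network and image; an entry that only ever talks to your own provider's relay is more likely a client with a stale SMTP setting than a bot.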